MB-R098
XML parsers used by imports, integrations, or custom modules must disable external entity expansion and unsafe parser options. Insecure XML parsing can enable XXE, local file disclosure, SSRF, or denial of service. Flag usage patterns such as entity substitution, external DTD loading, or parser flags that expand untrusted XML content.
Magento integrations often parse XML from feeds, ERPs, shipping providers, payment systems, or imports. Unsafe XML parser settings can allow XXE, SSRF, local file disclosure, or denial of service.
Disabling external entity expansion and unsafe parser features keeps untrusted XML from reaching local files or internal network resources.
grep -RIE "(simplexml_load|DOMDocument|loadXML|LIBXML_NOENT|LIBXML_DTDLOAD)" app/code 2>/dev/null
# Confirm external entities and DTD loading are disabled for untrusted XML
$dom->loadXML($xml, LIBXML_NOENT | LIBXML_DTDLOAD);
# External entities may expand → FAIL
$dom->loadXML($xml, LIBXML_NONET);
# Network access blocked and no entity substitution → PASS